I am evaluating Pritunl and have signed up for Pritunl Premium.
The User Groups feature would appear to provide the ACL capability I would like to have, but I cannot find how to implement it.
- Is it available on the Premium version?
- Assuming it is available, where can I find detail on how to set it up?
- If it is not available on Premium, is there another practical way to limit clients' access to some resources?
Thank you for any assistance.
An enterprise subscription is required for the groups option. Organizations should be used as groups. If there are overlapping access control requirements the groups option can be used instead.
To use user groups all single sign-on users must be in one organization. The organization then needs to be attached to all servers. Then the groups option in each server can be configured to select which user groups will have access to that server.
To apply user groups the following commands will switch the single sign-on from matching organizations to copying the groups from the single sign-on provider to the Pritunl user. For SAML providers the groups SAML attribute can be used to set the user groups.
sudo pritunl set app.sso_azure_mode '"groups"'
sudo pritunl set app.sso_authzero_mode '"groups"'
sudo pritunl set app.sso_google_mode '"groups"'
It is also possible to manually set user groups in the user settings but this would be overwritten if the user is using single sign-on.
Thank you for your extremely prompt response (as always!).
The combination of US$ and the price per month makes the Enterprise option a “bridge too far” for our small organisation. With the rapidly changing rate between AU$ and US$, it is too hard to even budget!
Nice product BTW.
For clarity, in the Premium version, can I assume that there is no way to restrict what users can access?
Just in case I am missing something obvious.
Organizations are intended to function as groups. Users will only have access to the servers that the user's organization is attached to. Multiple servers can be created to handle different sets of routes. The user groups are only intended for configurations that can’t be handled by multiple organizations.
Does this mean it doesn’t matter what Azure AD group the user is a member of, as long as they are a user in the Azure AD organization that is connected to the server?
The Azure groups would be matched to an existing Pritunl organization by default. If the groups mode is used then the Azure groups would be copied to the Pritunl user groups. Assuming the server has groups configured then both the organization and at least one group must match. If the server has no groups configured user groups are ignored and only the organization must match.
How does the system behave when a user belongs to multiple Azure groups and each one of those groups is defined as an Organization in Pritunl? For example:
Let’s say user1 belongs to Azure groups, vpn-group1, vpn-group2 and vpn-group3. In Pritunl, there are three organizations also called vpn-group1, vpn-group2 and vpn-group3. Also, in Pritunl, there are three servers. Server1 is attached to vpn-group1, server2 is attached to vpn-group2, etc.
When user1 logs into the Pritunl web portal, which organization/server will the user be assigned to?
The organizations are sorted and the first matching organization is used.
Just to clarify, does the system sort the user’s Azure group AND the pritunl organizations before it tries to do a match?
From the example above, the user’s groups are: vpn-group1, vpn-group2, vpn-group3
The pritunl organizations are: vpn-group1, vpn-group2, vpn-group3
In this example, the user would be placed in organization “vpn-group1”. Is this correct?
The sorting is handled in the handlers/sso.py file. The Python sorted() function is used to iterate through each group and match to the first organization found in the database.
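The matching rules described in this thread (the organization is chosen by iterating the provider groups in sorted() order and taking the first one that exists as a Pritunl organization; a server is reachable only when the user's organization is attached to it and, if the server has groups configured, at least one user group matches; the organization is only set at web-console login) as an added Python model. This is an illustrative example written for this thread, not Pritunl's own handlers/sso.py; the Server and User classes, the function names, and the groups_org parameter used to stand in for the single organization required in groups mode are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Server:
    name: str
    organizations: set                          # organizations attached to this server
    groups: set = field(default_factory=set)    # empty set means "no group restriction"


@dataclass
class User:
    name: str
    organization: str = None                    # only ever set by sso_login()
    groups: set = field(default_factory=set)


def match_organization(sso_groups, pritunl_orgs):
    """Default SSO mode: sorted() over the provider groups, first existing org wins."""
    for group in sorted(sso_groups):
        if group in pritunl_orgs:
            return group
    return None  # no organization matched; login would be refused


def sso_login(user, sso_groups, pritunl_orgs, mode="default", groups_org=None):
    """Web-console login, the only place the user's organization is (re)assigned."""
    if mode == "groups":
        # groups mode: all SSO users share one organization (groups_org, an
        # assumption here) and provider groups overwrite any manually set groups
        user.organization = groups_org
        user.groups = set(sso_groups)
    else:
        user.organization = match_organization(sso_groups, pritunl_orgs)
        user.groups = set()
    return user.organization


def can_access(user, server):
    """Organization must match; groups only matter when the server has some configured."""
    if user.organization not in server.organizations:
        return False
    if server.groups:
        return bool(user.groups & server.groups)
    return True


def thread_example():
    """Reproduces the vpn-group1/2/3 scenario from the thread (constructed data)."""
    orgs = {"vpn-group1", "vpn-group2", "vpn-group3"}
    servers = [Server("server1", {"vpn-group1"}),
               Server("server2", {"vpn-group2"}),
               Server("server3", {"vpn-group3"})]
    user1 = User("user1")
    # Azure returns the groups in arbitrary order; sorting makes the result stable
    sso_login(user1, ["vpn-group3", "vpn-group1", "vpn-group2"], orgs)
    access = {s.name: can_access(user1, s) for s in servers}
    # Azure membership later changes to vpn-group2 only: nothing moves until the
    # user logs into the web console again
    org_before_relogin = user1.organization
    sso_login(user1, ["vpn-group2"], orgs)
    return {"first_org": access and org_before_relogin,
            "access": access,
            "org_before_relogin": org_before_relogin,
            "org_after_relogin": user1.organization}


def groups_mode_example():
    """Groups mode: one organization for everyone, servers filter on user groups."""
    servers = [Server("dev-vpn", {"sso-org"}, {"devs", "ops"}),
               Server("ops-vpn", {"sso-org"}, {"ops"}),
               Server("all-vpn", {"sso-org"}),              # no groups: org alone decides
               Server("other-vpn", {"other-org"}, {"devs"})]
    dev = User("dev")
    sso_login(dev, ["devs"], {"sso-org"}, mode="groups", groups_org="sso-org")
    return {s.name: can_access(dev, s) for s in servers}


if __name__ == "__main__":
    print(thread_example())
    print(groups_mode_example())
```

The example goes slightly beyond the thread by also modelling groups mode from the earlier reply, so both behaviours can be compared side by side.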
Thanks Zach, this makes sense now…
Regarding this User Azure Group mapping to Pritunl Organizations; is it only done on the initial user login to the Pritunl web portal?
For example, if the user initially logs in with Azure group “vpn-group1” and is mapped to organization “vpn-group1”, what happens if the user’s Azure group changes to “vpn-group2”? Will the user automatically get re-mapped to organization “vpn-group2” on the Pritunl side?
Yes, user organizations are only set when logging into the web console.